SecurityWeek

WWE Exposes Details of 3 Million Customers on AWS

In what is likely to be an operator or technician error, WWE left unencrypted personal details of more than 3 million customers exposed on AWS in at least two separate databases. The issue was reported to WWE on July 4, and the company swiftly removed them.

According to a report in Forbes, the discovery was made by a Kromtech researcher named Bob Dyachenko.

WWE has acknowledged the incident with a brief statement on its website: “Although no credit card or password information was included, and therefore not at risk, WWE is investigating a vulnerability of a database housed on Amazon Web Services (AWS), which has now been secured. WWE utilizes leading cybersecurity firms Smartronix and Praetorian to manage data infrastructure and cybersecurity and to conduct regular security audits on AWS. We are currently working with Amazon Web Services, Smartronix and Praetorian to ensure the ongoing security of our customer information.”

There is no indication in this statement as to whether the database was accessed or downloaded by anyone other than Mr Dyachenko.

According to Forbes, all the stored data was held in plaintext, and included educational background, earnings and ethnicity, home and email addresses, birthdates, and customers’ children’s age ranges and genders where supplied. Holding children’s age, sex and home addresses will be particularly concerning for privacy advocates.

Although the WWE statement implies a single database, it seems that a second database contained European customer data; specifically comprising “reams of information primarily on European fans, though the information contained only addresses, telephone numbers and names…”

That second database is worth considering, since names, addresses and telephone numbers will be considered protected personal information under European laws. 

“Organizations like WWE which inadequately value subscriber data will, from May 2018, find themselves exposed also to GDPR fines,” warned Alan Calder, founder and executive chairman of IT Governance Ltd in an emailed comment. “A personal data breach on this scale would have to be reported to an EU supervisory authority and could well lead to a significant fine for failing to protect personal data.”

GDPR can impose penalties of up to €20 million or 4% of global turnover, whichever is the greater; and this can be imposed even though the company may be American, located in America, and storing the data on an American server.

This is not the first time in recent weeks that AWS customers have left data exposed. Last month, three contractors left 1 terabyte of data (including the details of 198 million American voters) on an unprotected AWS S3 bucket. There have been calls for Amazon to highlight sensitive data stored insecurely; but it is the customers’ responsibility to protect it.
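The exposures described here come down to access controls that open a bucket to everyone. As an added example, not part of this article and not code from WWE, Kromtech, Smartronix or Praetorian, the script below audits an S3 bucket ACL and bucket policy offline, in the JSON shape that AWS returns them (the output of boto3's get_bucket_acl and get_bucket_policy), and flags two things a customer can check themselves: ACL grants to the AllUsers or AuthenticatedUsers groups, and Allow statements whose Principal is a wildcard with no Condition narrowing it. The ACL and policy documents, the bucket name, the owner id and the account id are constructed sample values.

```python
"""Offline audit of S3 access controls for the kind of exposure reported above."""
from typing import Optional

# The two canned AWS groups that make an ACL grant public:
# AllUsers = anyone on the internet, AuthenticatedUsers = any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl: dict) -> list:
    """Return (group, permission) pairs the ACL grants to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append((group, grant.get("Permission")))
    return findings


def _principal_is_wildcard(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy: Optional[dict]) -> list:
    """Return (Sid, actions) for Allow statements open to any principal.

    Statements carrying a Condition are skipped: a condition may narrow the
    grant (e.g. to one VPC endpoint), so they need manual review instead of
    an automatic "public" verdict.
    """
    findings = []
    for stmt in (policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append((stmt.get("Sid", "<no Sid>"), list(actions)))
    return findings


def is_bucket_public(acl: dict, policy: Optional[dict]) -> bool:
    """A bucket is exposed if either its ACL or its policy opens it to everyone."""
    return bool(public_acl_grants(acl) or public_policy_statements(policy))


# --- constructed sample documents (shape of get_bucket_acl / get_bucket_policy) ---
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-canonical-id"}

EXPOSED_ACL = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        # The grant that makes every object readable by anyone on the internet.
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

HARDENED_ACL = {"Owner": {"ID": OWNER["ID"]},
                "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-customer-export/*"}],
}

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ExportReaderOnly", "Effect": "Allow",
                   # Placeholder account id and role: only a named principal may read.
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExportReader"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-customer-export/*"}],
}


def audit(name: str, acl: dict, policy: Optional[dict]) -> str:
    """One-line verdict for a bucket, listing what made it public."""
    if not is_bucket_public(acl, policy):
        return f"{name}: not public"
    reasons = [f"ACL grants {perm} to {grp}" for grp, perm in public_acl_grants(acl)]
    reasons += [f"policy '{sid}' allows {', '.join(acts)} to everyone"
                for sid, acts in public_policy_statements(policy)]
    return f"{name}: PUBLIC ({'; '.join(reasons)})"


if __name__ == "__main__":
    print(audit("example-customer-export", EXPOSED_ACL, EXPOSED_POLICY))
    print(audit("example-customer-export", HARDENED_ACL, HARDENED_POLICY))
```

Run against real buckets, the two sample documents would be replaced by the live ACL and policy pulled per bucket. The script is a detection pass; the stronger control is to enable S3 Block Public Access at the account level, which rejects these public ACL grants and policy statements outright rather than relying on a periodic audit to catch them.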

Even if security firms are employed by the data owner (or ‘controller’, in this case WWE), regulatory responsibility for protecting that data almost always remains with the controller under European law. SecurityWeek has reached out to both the WWE-named security firms (Smartronix and Praetorian) and will update this article with any response.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
